I then asked Google to find django-csp, a model-less Django “app” which adds Content-Security-Policy headers to Django applications.
It works using a middleware and some decorators.
Especially the configuration is well done.
It starts by stating: “Content-Security-Policy is a complicated header. There are many values you may need to tweak here.”

CSP is important for applications that accept arbitrary
input from anonymous users.
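
As an added illustration (not code from django-csp or from this blog), the sketch below shows how a policy written as per-directive source lists becomes one header value, and how to check that value for sources that weaken it when pages render input from anonymous users. The function names and both sample policies are assumptions made for the example.

```python
# Added example, not django-csp's code. Names and sample policies are constructed.

RISKY_SOURCES = {
    "'unsafe-inline'": "allows inline script/style, so injected markup can run",
    "'unsafe-eval'": "allows eval()-style execution of strings",
    "*": "allows loading from any origin",
    "data:": "allows data: URIs as a source",
}
# Directives that govern script and plugin loading (default-src is the fallback).
SCRIPT_DIRECTIVES = ("script-src", "object-src", "default-src")


def build_header(policy):
    """Serialize {directive: [sources]} into a Content-Security-Policy value."""
    return "; ".join(" ".join([name, *sources]) for name, sources in policy.items())


def parse_header(value):
    """Inverse of build_header; a repeated directive keeps its first occurrence."""
    policy = {}
    for chunk in value.split(";"):
        tokens = chunk.split()
        if tokens and tokens[0].lower() not in policy:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def audit(value):
    """Return a sorted list of (directive, finding) pairs for a header value."""
    policy = parse_header(value)
    findings = []
    if "default-src" not in policy:
        findings.append(("default-src", "missing, unlisted fetch directives are unrestricted"))
    for directive in SCRIPT_DIRECTIVES:
        for source in policy.get(directive, []):
            if source.lower() in RISKY_SOURCES:
                findings.append((directive, f"{source}: {RISKY_SOURCES[source.lower()]}"))
    return sorted(findings)


# Constructed sample policies.
WEAK = {"default-src": ["*"], "script-src": ["'self'", "'unsafe-inline'"]}
STRICT = {"default-src": ["'self'"], "script-src": ["'self'"], "object-src": ["'none'"]}

if __name__ == "__main__":
    for policy in (WEAK, STRICT):
        header = build_header(policy)
        print(header, audit(header), sep="\n  ")
```
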

This was complex.
For example, I didn’t yet know that Django creates the test
database and loads any test fixtures before calling the setUp()
method.

Added a new method lino.core.actors.Actor.clear_handle
and manually call it in the database_ready handler
which configures the dynamic columns of
UsersWithClients:

When an actor has dynamic columns which depend on database
content, then its layout handle must not persist between
different Django test cases because a handle from a first
test case may refer to elements which no longer exist in a
second test case.

While trying to understand these reasons,
I started a new document Signals overview.